For Navigator Encrypt to run as a kernel module, you must download and install the kernel development headers. Each kernel module is compiled specifically for the underlying kernel
version. Running as a kernel module allows Navigator Encrypt to provide high performance and complete transparency to user-space applications.

To determine your current kernel version, run uname -r.

To install the development headers for your current kernel version, run:

Edit /etc/modprobe.d/unsupported-modules and set allow_unsupported_modules to 1. For
example:

#
# Every kernel module has a flag 'supported'. If this flag is not set loading
# this module will taint your kernel. You will not get much help with a kernel
# problem if your kernel is marked as tainted. In this case you firstly have
# to avoid loading of unsupported modules.
#
# Setting allow_unsupported_modules 1 enables loading of unsupported modules
# by modprobe, setting allow_unsupported_modules 0 disables it. This can
# be overridden using the --allow-unsupported-modules command line switch.
allow_unsupported_modules 1

The Network Time Protocol (NTP) service synchronizes system time. Cloudera recommends using NTP to ensure that timestamps in system logs, cryptographic signatures, and other auditable
events are consistent across systems. Install and start NTP with the following commands:

$ sudo apt-get install ntp
$ sudo /etc/init.d/ntp start

Install Kernel Headers

Determine your kernel version by running uname -r, and install the appropriate headers:

$ sudo apt-get install linux-headers-$(uname -r)

Install the Navigator Encrypt Client

Install Navigator Encrypt:

$ sudo apt-get install navencrypt

Post Installation

To ensure that Navigator Encrypt and NTP start after a reboot, add them to the start order with chkconfig:

AES-NI and RDRAND

The Advanced Encryption Standard New Instructions (AES-NI) instruction set is designed to improve the speed of encryption and decryption using AES. Some newer processors come with
AES-NI, which can be enabled on a per-server basis.

Both the eCryptfs and dm-crypt back ends for Navigator Encrypt can automatically detect and use AES-NI if it is available. If you are uncertain whether AES-NI is available on a device,
run the following command to verify:

$ grep -o aes /proc/cpuinfo

To determine whether the AES-NI kernel module is loaded, run the following command:

$ sudo lsmod | grep aesni

If the CPU supports AES-NI but the kernel module is not loaded, see your operating system documentation for instructions on installing the aesni-intel
module.

Navigator Encrypt needs a source of random numbers when it uses dm-crypt as its back end. Use rng-tools version 4 or higher to seed the system's
entropy pool from the RDRAND instruction. To install and start rngd:

Once you have installed rng-tools, start the rngd daemon by running the following command as root:

$ sudo rngd --no-tpm=1 -o /dev/random

Setting Up TLS for Navigator Encrypt Clients

Transport Layer Security (TLS) certificates are used to secure communication with Navigator Encrypt. Cloudera strongly recommends using certificates signed by a trusted Certificate
Authority (CA).

If the TLS certificate is signed by an unrecognized CA, such as an internal CA, then you must add the root certificate to the host certificate truststore of each Navigator Encrypt
client. Be aware that Navigator Encrypt uses the operating system's truststore, which is distinct from the JDK truststore used by Cloudera Manager.

Entropy Requirements

Many cryptographic operations, such as those used with TLS or HDFS encryption, require a sufficient level of system entropy to ensure randomness; likewise, Navigator Encrypt needs a source of random numbers to ensure good performance. Hence,
you need to make sure that the hosts running Navigator Encrypt (as well as Key Trustee Server and Key Trustee KMS) have sufficient entropy to perform cryptographic operations.

You can check the available entropy on a Linux system by running the following command:

$ cat /proc/sys/kernel/random/entropy_avail

The output displays the entropy currently available. Check the entropy several times to determine the state of the entropy pool on the system. If the entropy is consistently low (500 or
less), you must increase it by installing rng-tools version 4 or higher, and starting the rngd service.

Install rng-tools Using Package Manager

If version 4 or higher of the rng-tools package is available from the local package manager (yum), then install it directly
from the package manager. If the appropriate version of rng-tools is unavailable, see Building rng-tools From Source.

Note: If you're using RHEL 6.7 and later, or recent versions of Ubuntu, Debian, and SLES, then the package manager should provide version 4.x or
higher. Be sure to check the version of rng-tools provided by your package manager before installation to determine whether or not you need to build from source
instead.
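The checks from the AES-NI, Entropy Requirements and rng-tools sections above, gathered into one host preflight script as an added example (not Cloudera's or the navencrypt package's code). The cpuinfo and lsmod samples are constructed; the live mode assumes that the kernel build tree is at /lib/modules/<version>/build and that `rngd --version` prints the version as its second word.

```shell
#!/bin/sh
# Preflight checks for a Navigator Encrypt host, combining the kernel-header,
# AES-NI, entropy and rng-tools requirements described on this page.
# Every check takes its input as arguments so it can be run against the
# constructed samples below as well as the live host (pass --live).

# Constructed sample inputs, not captured from a real host.
SAMPLE_CPUINFO="flags : fpu vme pae sse sse2 ht nx lm aes sse4_2 rdrand"
SAMPLE_LSMOD="aesni_intel 167936 0
aes_x86_64 20480 1 aesni_intel
dm_crypt 40960 1"

# headers_ok MODULES_DIR KVER: 0 if the kernel build tree for KVER exists
headers_ok() { [ -d "$1/$2/build" ]; }

# has_aes_flag CPUINFO_TEXT: 0 if the CPU advertises the 'aes' flag
has_aes_flag() { printf '%s\n' "$1" | grep -qw aes; }

# aesni_loaded LSMOD_TEXT: 0 if the aesni_intel module is loaded
aesni_loaded() { printf '%s\n' "$1" | grep -q '^aesni_intel[[:space:]]'; }

# entropy_ok VALUE: 0 if entropy_avail is above the 500 threshold
entropy_ok() { [ "$1" -gt 500 ] 2>/dev/null; }

# rngtools_ok VERSION: 0 if the rng-tools major version is 4 or higher
rngtools_ok() { [ "${1%%.*}" -ge 4 ] 2>/dev/null; }

# preflight MODULES_DIR KVER CPUINFO LSMOD ENTROPY RNGVER: prints one line
# per check and returns the number of failed checks (0 means ready)
preflight() {
  fails=0
  headers_ok "$1" "$2" && echo "ok   headers for $2" || { echo "FAIL no headers for $2"; fails=$((fails+1)); }
  has_aes_flag "$3"    && echo "ok   aes flag"       || { echo "FAIL no aes flag (AES-NI unavailable)"; fails=$((fails+1)); }
  aesni_loaded "$4"    && echo "ok   aesni_intel"    || { echo "FAIL aesni_intel not loaded"; fails=$((fails+1)); }
  entropy_ok "$5"      && echo "ok   entropy $5"     || { echo "FAIL entropy $5 <= 500, start rngd"; fails=$((fails+1)); }
  rngtools_ok "$6"     && echo "ok   rng-tools $6"   || { echo "FAIL rng-tools $6 < 4, build from source"; fails=$((fails+1)); }
  return $fails
}

# Live run on this host; rngd --version is assumed to print "rngd <version>".
if [ "${1:-}" = "--live" ]; then
  preflight /lib/modules "$(uname -r)" "$(cat /proc/cpuinfo)" "$(lsmod)" \
    "$(cat /proc/sys/kernel/random/entropy_avail)" \
    "$(rngd --version 2>/dev/null | awk '{print $2}')"
fi
```

Run it several times on a live host, since the page notes that entropy_avail fluctuates and should be sampled more than once before deciding to install rngd.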

Reinstalling Navigator Encrypt

When Navigator Encrypt is uninstalled, the configuration files and directories located in /etc/navencrypt are not removed. Consequently, you do not need to
use the navencrypt register command during reinstallation. If you no longer require the previous installation configuration information in the directory /etc/navencrypt, you can remove its contents.

If this documentation includes code, including but not limited to, code examples, Cloudera makes this available to you under the terms of the Apache License, Version 2.0, including any required
notices. A copy of the Apache License Version 2.0 can be found here.